Subject: Re: rpc xid randomness
To: Thor Lancelot Simon <>
From: Frank van der Linden <>
List: tech-security
Date: 09/06/2003 21:00:08
On Sat, Sep 06, 2003 at 03:00:32PM -0400, Thor Lancelot Simon wrote:
> I don't think it actually does matter.  I also know that Larry McVoy
> measured the overhead of randomizing RPC XIDs (and PIDs, and a number of 
> other things that OpenBSD randomizes) and concluded that it was quite large,
> for the net benefit (which I believe he correctly characterized as small
> or, in some cases, nonexistent).

I agree. If you want secure RPC, then do it the proper way, and import
the actual authenticated secure RPC code (which will be needed for other
purposes, like NFSv4, anyway). We don't have it yet, but I think
at least one of Free/OpenBSD does have it.

- Frank